Case Study

The Ultimate Target

In 2013 US retail giant Target was subject to one of the worst corporate hacks in history, affecting the financial data of 40 million customers. Billy Bambrough asks what lessons can be learnt from the costly breach

Almost four years later, and the effects of the Target data breach are still rippling out.

In May, three years and six months after details of the hack first began to emerge, the US retail giant agreed to pay $18.5m to settle claims by 47 states and the District of Columbia, and resolve a multi-state investigation into the massive data breach.

Target said the total cost of the data breach has climbed to $202m.

Target's hack: as it happened

Hackers stole 40 million credit and debit card details of shoppers who had visited Target stores during the 2013 holiday season – with another 30 million losing some form of personal data.

The hackers – working though a Target contractor in Pittsburgh that was connected to the retailer’s electronic billing services – stole customer names, encrypted PIN data, credit and debit card numbers and card expiration dates, as well as the embedded code on the magnetic strip of cards used at Target between 27 November and 15 December 2013.

“It was an extraordinary breach. On a scale of one to ten it’s at least an eight or a nine.”

Using the contractor credentials to exploit weaknesses in Target's system, the attackers gained access to a customer service database, and installed malware on the system that recorded card details.

Between 1 million and 3 million of the stolen cards were successfully sold on the dark web and used in fraudulent transactions. That hackers make off with such complete financial data is rare; that they are able to get such a huge haul is unprecedented.

“As soon as details began to emerge it was apparent it was significant; the scale of the number of people affected,” says Neil Saunders, retail analyst at GlobalData. “It was an extraordinary breach. On a scale of one to ten it’s at least an eight or a nine.”

In the aftermath of the hack

Details trickled out, with news of the breach first reported by digital security blog Krebs on Security, however Target seriously suffered as a result of its slow response. On 19 December, a day after the story broke but almost a week after Target had appointed a third-party forensic team to handle the attack, the company publicly acknowledged the breach for the first time.

Unsurprisingly, the hack shook customer confidence in the company. “It erodes and undermines trust in the short term, but it has longer term issues as well,” says Saunders. “Putting this right is expensive and difficult.”

The Target share price dropped by 10% in a matter of weeks following the attack, and would not recover for almost a year.

“Taking responsibility is good, but consumers don’t really care about who resigns and who stays.”

Target has, however, done quite well in managing to rebuild its brand, even in the direct aftermath. The company admitted fault relatively early and sought to drum up some positive press by offering customers 10% off pre-Christmas in-store purchases.

The hack also cost the Target chief executive Gregg Steinhafel, a 35 year company veteran, his job. Meanwhile, the company chief information officer was also forced out, and members of Target’s board of directors were threatened with removal.

“Taking responsibility is good, but consumers don’t really care about who resigns and who stays,” explains Saunders. “Where it is useful is that it takes the heat out of the media coverage. The fallout would probably have been worse if Steinhafel hadn’t gone though.”

Perhaps more effective in building consumer confidence were the efforts made to recompense shoppers who had trusted the company with their financial details.

Target provided free credit monitoring services for consumers affected by the breach and, as part of a $10m class-action lawsuit settlement reached in 2015, the company agreed to pay up to $10,000 to consumers who could provide evidence that they suffered losses from the data breach.

Could Target's hack be repeated?

Much has changed since the Target breach, with better security practices now in place. But has enough changed to ensure a similar attack is less likely, or even impossible? The short answer is no.

“Even with the best security in the world there will always be another hack,” says Saunders. “It’s a constant threat.”

“Even with the best security in the world there will always be another hack.”

While Saunders is confident retailers are doing more, and some – especially the big ones – are spending a lot of money on cybersecurity, the sophistication of the hacks is increasing.

“I think we will see more attacks because the data is now more valuable,” he adds.

Protection via the cloud

While a Target-type hack – being infiltrated by criminals who then steal data – is never going to be entirely preventable, there is progress being made at a technological level.

Ian Massingham, chief evangelist at Amazon Web Services, sees the move to the cloud as a positive one for cybersecurity.

“Ransomware attacks – similar to the recent WannaCry and Petya attacks – could be better defeated by using the cloud,” says Massingham, though he admits that the cloud would have been unlikely to have prevented the Target breach if the contractors had access to the back-end system.

“Ransomware attacks could be better defeated by using the cloud.”​​​​​​​

“The cloud can protect you from phishing attacks better than running things locally,” he adds. A recent report from cybersecurity software company PhishMe, for example, found that 91% of cyber attacks start with a phishing email.

As a result, the migration to the cloud has largely been driven by companies seeking to provide better protection for their customers.

However, while digital progress is required to stay ahead of hackers, it can’t be all that’s done. Even the best cybersecurity system in the world is useless if, as with Target hack, the keys are handed to the wrong person.

Image courtesy of Jonathan Weiss / Shutterstock.com

The Target Hack in Numbers

$202m

The overall cost to Target almost four years on from the unprecented data breach

$200m

The estimated cost to credit unions and community banks for reissuing 21.8 million cards

$100m

The amount Target spent on upgrading to support Chip-and-PIN – though it wouldn’t have stopped the breach

70 million

The number of records stolen that included the name, address, email and phone number of Target shoppers

40 million

The number of credit and debit cards thieves stole from Target between 27 November and 15 December, 2013

​​​​​​​$18.5m

The settlement in dollars that Target reached in May with 47 states and the District of Columbia

1 million – 3 million​​​​​​​

The estimated number of cards stolen from Target that were successfully sold on the black market and used for fraud

46%

The percentage drop in profits at Target in the fourth quarter of 2013, compared with the year before

29%

The percentage of Americans thought to have been affected by the breach

137

The number of days Gregg Steinhafel lasted as CEO following the company’s acknowledgement of the hack

$202m

The overall cost to Target almost four years on from the unprecented data breach

$200m

The estimated cost to credit unions and community banks for reissuing 21.8 million cards

$100m

The amount Target spent on upgrading to support Chip-and-PIN – though it wouldn’t have stopped the breach

70 million

The number of records stolen that included the name, address, email and phone number of Target shoppers

40 million

The number of credit and debit cards thieves stole from Target between 27 November and 15 December, 2013

​​​​​​​$18.5m

The settlement that Target reached in May with 47 states and the District of Columbia

1 million – 3 million​​​​​​​

The estimated number of cards stolen from Target that were successfully sold on the black market and used for fraud

46%

The percentage drop in profits at Target in the fourth quarter of 2013, compared with the year before

29%

The percentage of Americans thought to have been affected by the breach

137

The number of days Gregg Steinhafel lasted as CEO following the company’s acknowledgement of the hack